The current spec requires reporting for a user agent to claim a conformant implementation.
A user agent, plugin or proxy could certainly provide a means for users to control this behavior. Many user agents have long provided the ability to, e.g., turn off loading of images, CSS or script, override page-specified fonts and colors, or disable cookies, and they could choose to do so for CSP or sub-features of CSP.
It is not traditional for these specifications to speak directly to such options as:
1) Whether and how to provide these controls is at the prerogative of the user and their user agent
2) A user agent so configured is not providing a compliant implementation of those specifications - it is opting out of doing so
Reporting and feedback is a core feature of and use case for CSP. I don't think there has been any interest expressed by members of the WG to make it optional for compliance purposes. I have similarly seen little or no interest by implementers in making it opt-in (vs opt-out) as CSP's reporting does not provide any qualitatively new functionality to resource authors (even with non-same origin reports) that hasn't been present since the introduction of JavaScript in 1995 - it only provides a declarative policy language to simplify their generation in a standard format.
-Brad Hill
From: Fred Andrews [mailto:fredandw@live.com]
Sent: Tuesday, October 16, 2012 3:37 PM
To: public-webappsec@w3.org
Subject: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
It would be appreciated if the WG could clarify if a browser conforming to CSP 1.0 is permitted to implement reporting as opt-in?
It was my understanding, based on the decision of issue 11 and prior discussion on this list, that CSP 1.0 required a UA to submit a report when requested by the server and thus that a server could depend on this. However, a recent response suggests this may not be the consensus.
cheers
Fred